<?xml version="1.0" encoding="utf-8"?>
<!-- This Source Code Form is subject to the terms of the Mozilla Public
   - License, v. 2.0. If a copy of the MPL was not distributed with this
   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"[
  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
  %brandDTD;
]>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Signing &amp; Encrypting Messages</title>
<link rel="stylesheet" href="helpFileLayout.css"
  type="text/css"/>
</head>
<body>

<h1 id="signing_and_encrypting_messages">Signing &amp; Encrypting Messages</h1>

<div class="contentsBox">In this section:
  <ul>
    <li><a href="#about_digital_signatures_and_encryption">About Digital
      Signatures &amp; Encryption</a></li>
    <li><a href="#getting_other_peoples_certificates">Getting Other
      People&apos;s Certificates</a></li>
    <li><a href="#configuring_security_settings">Configuring Security
      Settings</a></li>
    <li><a href="#signing_and_encrypting_a_new_message">Signing &amp;
      Encrypting a New Message</a></li>
    <li><a href="#reading_signed_and_encrypted_messages">Reading Signed &amp;
      Encrypted Messages</a></li>
    <li><a href="#message_security_compose_window">Message Security -
      Compose Window</a></li>
    <li><a href="#message_security_received_message">Message Security -
      Received Message</a></li>
  </ul>
</div>

<h2 id="about_digital_signatures_and_encryption">About Digital Signatures &amp;
  Encryption</h2>

<p>When you compose a mail message, you can choose to attach your digital
  signature to it. A <a href="glossary.xhtml#digital_signature">digital
  signature</a> allows recipients of the message to verify that the message
  really comes from you and hasn&apos;t been tampered with since you sent
  it.</p>

<p>When you compose a mail message, you can also choose to encrypt it.
  <a href="glossary.xhtml#encryption">Encryption</a> makes it very difficult
  for anyone other than the intended recipient to read the message while it is
  in transit over the Internet.</p>

<p>Signing and encryption are not available for newsgroup messages.</p>

<p>Before you can sign or encrypt a message, you must take these preliminary
  steps:</p>

<ol>
  <li>Obtain one or more <a href="glossary.xhtml#certificate">certificates</a>
    (the digital equivalents of ID cards). For details, see
    <a href="using_certs_help.xhtml#getting_your_own_certificate">Getting Your
    Own Certificate</a>.</li>
  <li>Configure the security settings for your email account. For details, see
    <a href="mailnews_account_settings.xhtml#security">Configuring Your
    Security Settings</a>.
  </li>
</ol>

<p>Once you have completed these steps, you can complete the instructions in
  <a href="#signing_and_encrypting_a_new_message">Signing &amp; Encrypting a 
  New Message</a>.</p>

<p>The sections that follow provide a brief overview of how digital signatures
  and encryption work. For more technical details on this subject, see the
  online document
  <a href="http://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography">Introduction
  to Public-Key Cryptography</a>.</p>

<h3 id="how_digital_signatures_work">How Digital Signatures Work</h3>

<p>A digital signature is a special code, unique to each message, created by
  means of <a href="glossary.xhtml#public-key_cryptography">public-key
  cryptography</a>.</p>

<p>A digital signature is completely different from a handwritten signature,
  although it can sometimes be used for similar legal purposes, such as signing
  a contract.</p>

<p>To create a digital signature for an email message that you are sending, you
  need two things:</p>

<ul>
  <li>A <a href="glossary.xhtml#signing_certificate">signing certificate</a>
    that identifies you for this purpose. Every time you sign a message, your
    signing certificate is included with the message. The certificate includes
    a <a href="glossary.xhtml#public_key">public key</a>. The presence of the
    certificate in the message permits the recipient to verify your digital
    signature.

    <p>Your certificate is a bit like your name and phone number in the
      phonebook&mdash;it is public information that helps other people
      communicate with you.</p>
  </li>
  <li>A <a href="glossary.xhtml#private_key">private key</a>, which is created
    and stored on your computer when you first obtain a certificate.

    <p>Your private key for a signing certificate is protected by your
      <a href="glossary.xhtml#master_password">Master Password</a>, and the
      &brandShortName; program does not disclose it to anyone else. The Mail
      &amp; Newsgroup software uses your private key to create a unique,
      verifiable digital signature for every message you choose to sign.</p>
  </li>
</ul>

<h3 id="how_encryption_works">How Encryption Works</h3>

<p>To encrypt an email message, you must have an
  <a href="glossary.xhtml#encryption_certificate">encryption certificate</a>
  for each of the message&apos;s recipients. The public key in each certificate
  is used to encrypt the message for that recipient.</p>

<p>If you don&apos;t have a certificate for even a single recipient, the
  message cannot be encrypted.</p>

<p>The recipient&apos;s software uses the recipient&apos;s private key, which
  remains on that person&apos;s computer, to decrypt the message.</p>
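
<p>The signing and encryption behaviour described above can be reproduced
  outside the mail client with the <code>openssl smime</code> command, which
  produces the same kind of certificate-based (S/MIME) messages. This is an
  added example, not part of the original help text or the product&apos;s own
  code; it assumes the OpenSSL command-line tool is installed, and the users
  alice, bob, carol and dave, their example.test addresses and the message text
  are constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original help page). Every name, address and
# message below is constructed; all files live in a throwaway directory.
WORK=$(mktemp -d)

# Self-signed certificate plus private key for one constructed mail user.
make_identity() {  # $1 = short name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Signing uses the sender's private key; the certificate travels in the message.
sign_message() {  # $1 = sender, $2 = plaintext file, $3 = signed output
    openssl smime -sign -in "$2" -out "$3" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Verification succeeds only if the content is unchanged and the embedded
# certificate chains to one the recipient trusts (here: the sender's own).
verify_message() {  # $1 = trusted sender, $2 = signed file
    openssl smime -verify -in "$2" -CAfile "$WORK/$1.crt" \
        -out /dev/null 2>/dev/null
}

# Encryption needs a certificate for every recipient; refuse if one is missing.
encrypt_message() {  # $1 = plaintext file, $2 = output, rest = recipients
    src=$1; dst=$2; shift 2
    for r in "$@"; do [ -f "$WORK/$r.crt" ] || return 1; done
    # Replace each recipient name with the path of that recipient's certificate.
    for r in "$@"; do set -- "$@" "$WORK/$r.crt"; shift; done
    openssl smime -encrypt -aes256 -in "$src" -out "$dst" "$@" 2>/dev/null
}

# Decryption needs the recipient's private key, which stays on their machine.
decrypt_message() {  # $1 = recipient, $2 = encrypted file
    openssl smime -decrypt -in "$2" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Demo run on constructed data.
for name in alice bob carol; do make_identity "$name"; done
printf 'Please pay 100 to Bob.\n' > "$WORK/msg.txt"
sign_message alice "$WORK/msg.txt" "$WORK/signed.eml"
sed 's/pay 100/pay 900/' "$WORK/signed.eml" > "$WORK/tampered.eml"
encrypt_message "$WORK/msg.txt" "$WORK/enc.eml" alice bob

verify_message alice "$WORK/signed.eml"   || echo "good signature rejected"
verify_message alice "$WORK/tampered.eml" || echo "tampered message rejected"
decrypt_message bob "$WORK/enc.eml"
decrypt_message carol "$WORK/enc.eml" || echo "carol is not a recipient"
encrypt_message "$WORK/msg.txt" "$WORK/x.eml" bob dave || echo "no certificate for dave"
```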
  
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="getting_other_peoples_certificates">Getting Other People&apos;s
  Certificates</h2>

<p>Every time you send a digitally signed message, your encryption certificate
  is automatically included with the message. Therefore, one of the easiest
  ways to obtain someone else&apos;s certificate is for that person to send you
  a digitally signed message.</p>

<p>When you receive such a message, the person&apos;s certificate is
  automatically stored by the <a href="certs_help.xhtml">Certificate
  Manager</a>, which is the part of the browser that keeps track of
  certificates. This is useful because you need to have a certificate for each
  recipient of any email message that you want to send in encrypted form.</p>

<p>Another way to obtain certificates is to look them up in a public directory,
  such as the <q>phonebook</q> directories maintained by many companies.</p>

<p>It&apos;s also possible to look up certificates automatically.  This feature
  is controlled by
  <a href="mailnews_preferences.xhtml#addressing_preferences">Mail &amp;
  Newsgroups Preferences - Addressing</a> or
  <a href="mailnews_account_settings.xhtml#addressing">Mail &amp; Newsgroups
  Account Settings - Addressing</a>, which can be configured to look up
  recipients&apos; email addresses in a directory.</p>

<p>When you are using any account that is configured to look up addresses in a
  directory, the same directory will be searched for matching certificates when
  you attempt to send an encrypted message to one or more recipients for whom
  you don&apos;t have certificates on file.</p>

<p>The directory will also be searched for missing certificates when you open
  the drop-down menu below the Security icon in the Compose window and choose
  View Security Info.</p>

<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="configuring_security_settings">Configuring Security Settings</h2>

<p>Once you have obtained an email certificate (or certificates), you must
  specify the certificates you want to use for signing and encrypting
  messages.</p> 

<p>For information about obtaining email certificates, see
  <a href="using_certs_help.xhtml#getting_your_own_certificate">Getting Your
  Own Certificate</a>.</p>

<p>To specify which signing and encryption certificates to use with a
  particular account, begin from the Mail window:</p>

<ol>
  <li>Open the Edit menu and choose Mail &amp; Newsgroups Account Settings.</li>
  <li>Click Security under the name of the mail account whose security settings
    you want to configure.</li>
  <li>Under Digital Signing, click Select. (You may be asked to provide your
    <a href="glossary.xhtml#master_password">Master Password</a> before you can
    proceed further.)

    <p>A dialog box appears that allows you to select from among your available
      signing certificates.</p>
  </li>
  <li>Choose the signing certificate you want to use, then click OK.</li>
  <li>Follow the same steps under Encryption: click the Select button, select
    the encryption certificate you want to use, and click OK.

    <p>In some cases you may be able to specify the same certificate under
      Encryption that you specified under Digital Signing; check with your
      system administrator to find out for sure.</p>
  </li>
</ol>

<p>Optionally, you can also indicate that you normally want to sign or encrypt
  all messages sent from a particular account. These account-specific settings
  are for convenience only; you can override the default settings for
  individual messages.</p>

<p>To configure your default signing and encryption settings, start from the
  Security panel for the account (described above) and select your settings as
  follows:</p>

<ul>
  <li>Under Digital Signing:
    <ul>
      <li><strong>Digitally sign messages</strong>: When this checkbox is
        selected, all the messages you send from this account will be digitally
        signed unless you indicate otherwise before you send the message. To
        turn off this default setting, deselect the checkbox.</li>
    </ul>
  </li>
  <li>Under Encryption (choose one):
    <ul>
      <li><strong>Never</strong>: When this option is selected, messages you
        send from this account will not be encrypted unless you indicate
        otherwise before you send them.</li>
      <li><strong>Required</strong>: When this option is selected, all the
        messages you send from this account will be encrypted&mdash;but only if
        you have valid certificates for each of the message&apos;s recipients.
        If you don&apos;t have all the necessary certificates, the message
        can&apos;t be sent unless you turn off encryption for that message.</li>
    </ul>
  </li>
</ul>

<p>When you have finished configuring your mail security settings, click OK to
  confirm them.</p>
 
<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="signing_and_encrypting_a_new_message">Signing &amp; Encrypting a New
  Message</h2>

<p>Before you can digitally sign or encrypt any message, you must obtain at
  least one email certificate and configure your mail security settings
  correctly. For background information on these tasks, see
  <a href="#about_digital_signatures_and_encryption">About Digital Signatures
  &amp; Encryption</a>.</p>

<p>The settings specified in
  <a href="mailnews_account_settings.xhtml#security">Mail &amp; Newsgroups
  Account Settings - Security</a> determine the default settings for each new
  Compose window you open when you set out to write an email.</p>

<p>To open a Compose window, start from the Mail window and click Compose. You
  can immediately identify the default security settings from the presence or
  absence of these icons near the lower-right corner of the window:</p>

<table>
  <tr>
    <td><img src="chrome://messenger/skin/smime/icons/hdrSignOk.gif"
      alt="digital signature icon"/></td><td>The message will be digitally
      signed (assuming you have a valid email certificate that
      identifies you).</td>
  </tr>
  <tr>
    <td><img src="chrome://messenger/skin/smime/icons/hdrCryptoOk.gif"
      alt="encryption icon"/></td><td>The message will be encrypted
      (assuming you have valid certificates for all recipients).</td>
  </tr>
</table>

<p>To turn these settings off or on, click the arrow just below the Security
  icon in the Mail toolbar near the top of the window. Then select the item you
  want from the drop-down list:</p>

<ul>
  <li><strong>Do Not Encrypt This Message</strong>: Choose this to turn off
    encryption for this message. The message will not be encrypted when it is
    sent over the Internet.</li>
  <li><strong>Encrypt This Message</strong>: Choose this to turn on encryption
    for this message. The message will be sent in encrypted form. However, it
    can&apos;t be sent unless you have valid certificates for all
    recipients.</li>
  <li><strong>Digitally Sign This Message</strong>: Choose this to turn digital
    signing on or off for this message. A checkmark indicates the message will
    be signed.</li> 
  <li><strong>View Security Info</strong>: Choose this to view detailed
    information about the security status of this message&mdash;to help you
    determine, for example, whether you need to obtain a certificate for one of
    the recipients.</li>
</ul>

<p>To view detailed information about the message&apos;s security status, you
  can also click the key or lock icon as described in
  <a href="#message_security_compose_window">Message Security - Compose
  Window</a>.</p>

<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="reading_signed_and_encrypted_messages">Reading Signed &amp; Encrypted
  Messages</h2>

<p>When you view a signed or encrypted message in the Mail window, these icons
  near the upper-right corner of the message header indicate the security
  status of the message:</p>
  
<table>
  <tr>
    <td><img src="chrome://messenger/skin/smime/icons/hdrSignOk.gif"
      alt="digital signature icon"/></td><td>The message is digitally
      signed and has been validated. If there is a problem with the signature,
      the pen is broken.</td>
  </tr>
  <tr>
    <td><img src="chrome://messenger/skin/smime/icons/hdrSignUnknown.gif"
      alt="unknown icon"/></td><td>The message is signed, but it has a
      large attachment that has not yet been downloaded from the IMAP server.
      As a result, the signature cannot be validated. Click the icon to
      download the attachment and validate the signature.</td>
  </tr>
  <tr>
    <td><img src="chrome://messenger/skin/smime/icons/hdrCryptoOk.gif"
      alt="encryption icon"/></td><td>The message is encrypted. If there
      is a problem with the encryption, the key is broken.</td>
  </tr>
</table>

<p>For information about certificate validation, see
  <a href="using_certs_help.xhtml#controlling_validation">Controlling
  Validation</a>.</p>

<p>To see more detailed information about the message&apos;s security, click
  the key or lock icon, or follow the instructions in
  <a href="#message_security_received_message">Message Security - Received
  Message</a>.</p>

<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="message_security_compose_window">Message Security - Compose Window</h2>

<p>This section describes the Message Security window that you can open for any
  message you are composing. If you&apos;re not already viewing Message
  Security, click the Security icon in the toolbar of the Compose window.</p>

<p>The Message Security window describes how your message will be sent:</p>

<ul>
  <li><strong>Digitally Signed</strong>: This line describes whether your
    message will be signed. There are three possibilities:
    <ul>
      <li><strong>Yes</strong>: Digital signing has been enabled for this
        message, you have a valid certificate identifying you, and the message
        can be signed.</li>
      <li><strong>No</strong>: Digital signing has been disabled for this
        message.</li>
      <li><strong>Not possible</strong>: Digital signing has been enabled for
        this message. However, a valid
        <a href="glossary.xhtml#certificate">certificate</a> identifying you
        for this purpose is not available, or there is some other problem that
        makes signing impossible.</li>
    </ul>
  </li>
  <li><strong>Encrypted</strong>: This line describes whether your message will
    be encrypted. There are three possibilities:
    <ul>
      <li><strong>Yes</strong>: Encryption has been enabled for this message,
        valid certificates for all listed recipients are available, and the
        message can be encrypted.</li>
      <li><strong>No</strong>: Encryption has been disabled or is not possible
        for this message.</li>
      <li><strong>Not possible</strong>: Encryption has been enabled for this
        message. However, a valid certificate for at least one of the listed
        recipients is not available, or no recipients are listed, or there is
        some other problem that makes encryption impossible.</li>
    </ul>
  </li>
</ul>

<p>When you compose a message and select a different account, the signing
  and encryption preferences are updated to reflect the settings of
  the newly selected account.</p>

<p>The Message Security window also lists the certificates available for the
  recipients of your message:</p>

<ul>
  <li><strong>View</strong>: To view the details for any certificate in the
    list, select its name, then click View.</li>
</ul>

<p>For more information about obtaining certificates and configuring message
  security settings, see <a href="#signing_and_encrypting_messages">Signing
  &amp; Encrypting Messages</a>.</p>

<p>To indicate your signing or encryption choices for an individual message,
  click the arrow beside the Security button in the Compose window, then select
  the options you want.</p>

<p>To indicate your default signing and encryption preferences for all
  messages, see <a href="mailnews_account_settings.xhtml#security">Mail &amp;
  Newsgroups Account Settings - Security</a>.</p>

<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

<h2 id="message_security_received_message">Message Security - Received
  Message</h2>

<p>This section describes the Message Security window that you can open for any
  message you have received. If you&apos;re not already viewing Message
  Security for a received message, follow these steps:</p>

<ol>
  <li>In the Mail window, select the message for which you want to view
    security information.</li>
  <li>Open the View menu and choose Message Security Info.</li>
</ol>

<p>The Message Security window displays the following information:</p>

<ul>
  <li><strong>Digital Signature</strong>: The top section describes whether the
    message is digitally signed and, if so, whether the signature is valid.

    <p>If validation failed while OCSP was enabled, check the OCSP settings in
      <a href="validation_help.xhtml#privacy_and_security_preferences_validation">Privacy
      &amp; Security Preferences - Validation</a>. If you are not familiar with
      OCSP, confirm the settings with your system administrator. If your
      settings are correct, there may be a problem with the OCSP service, or
      the certificate used to create the signature may no longer be valid.</p>

    <p>If the signature is invalid because of a problem with a
      certificate&apos;s trust settings, you can use the
      <a href="certs_help.xhtml">Certificate Manager</a> to view or edit those
      settings.</p>
  </li>

  <li><strong>View Signature Certificate</strong>: If the message is signed,
    click this button to view the certificate that was used to sign it.</li>
  <li><strong>Encryption</strong>: The bottom section reports whether the
    message is encrypted and any decrypting problems.
    <ul>
      <li>If the message&apos;s contents have been altered during transit, you
        should ask the sender to resend it. The changes may have been caused by
        network problems.</li>
      <li>If a copy of your own certificate (used by the sender to encrypt the
        message) is not available on your computer, the private key required to
        decrypt the message cannot be retrieved. The only solution is to import
        a backup copy of your certificate and its private key (see
        <a href="certs_help.xhtml#your_certificates">Your Certificates</a> for
        details). If you don&apos;t have access to a backup certificate, you
        will not be able to decrypt the message.</li>
    </ul>
  </li>
</ul>

<p>[<a href="#signing_and_encrypting_messages">Return to beginning of
  section</a>]</p>

</body>
</html>
